Ledger Bounty Program
Get rewards for finding bugs
Ledger follows Kerckhoffs's principle: the security of our products does not rely on obscurity. While we aim to open source our solution to the greatest extent possible, the code running in our Secure Element remains closed source (due to NDA requirements). We are working to bridge secure hardware and the open source world. Since we cannot share our whole implementation, we place particular importance on our Bounty Program. Our security team strives to build the most secure hardware wallet.
But in security, nothing is settled once and for all. We built a versatile architecture based on dedicated secure hardware precisely so that we can continuously improve the security of our products.
There is always a chance that we missed something. If you discover a security-related bug, we will appreciate your help and cooperation, and we will reward it.
Responsible acts, responsible disclosure
Because our devices are used to secure monetary assets, a responsible disclosure process must be observed. This is common sense and usual practice, but we spell it out to avoid any misunderstanding. Whenever you find a security-related bug or vulnerability, please follow these general guidelines:
- Do not disclose the bug to anyone without our consent
- Only target your own device
- Do not actually attack other users to prove your point
Simply send us a mail at [email protected] outlining the security issue. Do not include the details of the vulnerability in this first, unencrypted mail.
Please use this address only for security topics; other subjects such as customer support requests will be ignored. Our security team will then take over. The usual process is as follows:
- We provide you with a GPG public key.
- You send us, encrypted to that key, all the details needed to reproduce the bug/attack/exploit, or at least enough information to understand the flaw.
- We take the necessary time to investigate the reported bug.
- We inform you of the next steps and the expected timeline.
- The mitigation or fix is implemented and deployed, and we wait long enough for users to update so that they stay safe.
- We send you a reward.
- We disclose the issue transparently and, with your authorization, list you on our Wall of Fame.
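The encrypted-report step above, as an added shell example that is not Ledger's own tooling: it reads the fingerprint of the key you were sent without importing it, refuses to import unless that fingerprint matches one confirmed over a second channel, and then encrypts the report to the fingerprint rather than to an e-mail address. The key file, fingerprint and report file names are hypothetical inputs supplied by the caller.

```shell
#!/bin/sh
# Added example, not Ledger's own tooling: preparing an encrypted report
# for the GPG key a vendor sends you. Key file names and fingerprints
# are hypothetical placeholders supplied by the caller.
set -eu

# Fingerprint of the first key in a public-key file, read without
# importing it, so it can be compared against the fingerprint the vendor
# confirmed over a second channel (a call, a signed web page, ...).
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import the key only when its fingerprint matches the expected one.
# A mismatch means the key you were given is not the vendor's; stop.
import_verified_key() {
    keyfile="$1"; expected="$2"
    actual=$(key_fingerprint "$keyfile")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got '$actual', expected '$expected'" >&2
        return 1
    fi
    gpg --batch --quiet --import "$keyfile" 2>/dev/null
}

# Encrypt the report to the verified fingerprint rather than to an e-mail
# address, so a look-alike key in the keyring cannot be picked by mistake.
# ASCII armor lets the result be pasted into or attached to a mail.
encrypt_report() {
    report="$1"; recipient_fpr="$2"; out="$3"
    gpg --batch --yes --quiet --armor --trust-model always \
        --recipient "$recipient_fpr" --output "$out" --encrypt "$report"
    # Refuse to hand back anything that is not an OpenPGP message.
    grep -q '^-----BEGIN PGP MESSAGE-----' "$out"
}
```

Confirm the fingerprint through a channel other than the one that delivered the key; a key that arrives in the same mail thread as the request proves nothing by itself.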
The following are not eligible for a reward:
- Bugs that are not responsibly reported and investigated
- Denial of service against our website
- Bugs in our desktop app (unless they lead to an attack vector)
- Denial of service against our nodes or any other part of our infrastructure
In all cases, don’t try to attack our infrastructure.
Many kinds of security-related bugs are eligible for our bounty program. Broadly, any information that significantly helps us improve the security of our products will be rewarded. In some cases, user experience bugs may be rewarded if they are security related.
The following bugs will be especially rewarded:
- Apps loaded on a Ledger device that allow breaking application isolation
- Breaking the confidentiality assumptions of a Ledger device (i.e. access to critical information such as the seed or a private key)
- PIN bypass
- Remote code execution
This list is not exhaustive; less critical bugs may also be rewarded, such as (remotely) crashing the device or unexpectedly erasing the seed.
In specific cases, security-related bugs on our website may also be rewarded.
The reward depends on the criticality of the discovered bug, the elegance of the exploit and the help you provide. The amount is entirely at our discretion, but we try to be fair across reports and apply the same methodology to each.
For a given bug, only one reward is given, to the first person to submit it.